Update 7:23pm ET: As this post was being reported, Zoom developers reversed their previous position and issued an update that changes the contested behavior.

"Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process," Zoom's Jonathan Farley wrote. "But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service."

The update makes the following changes:

complete removal of the local Web server and

an addition to the menu that allows users to remove the app

Zoom developers also added new details about a previously mentioned update, which is now scheduled for Friday. It will

allow returning users to update their video preferences and make video OFF by default at any time through the Zoom client settings

What follows is the story as it ran earlier:

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop. If the webcam is covered by tape or a sticker, they likely are. A recently published report on the Zoom conferencing application for Macs underscores why this practice makes sense.

Researcher Jonathan Leitschuh reported on Monday that, in certain cases, websites can automatically cause visitors to join calls with their cameras turned on. It's not hard to imagine this being a problem for people in their bathrobes or in the middle of a sensitive business conference since a malicious link would give no warning in advance it will open Zoom and broadcast whatever is in view of the camera.

Zoom developers almost certainly intended the behavior to make it easier to use the Web conferencing app. But unless users have properly tweaked their settings in advance, Leitschuh's findings show how miscreants can turn this ease-of-use against unwitting users. A proof-of-concept exploit is available here, but reader be warned: depending on your Zoom settings, your webcam may soon be transmitting whatever it sees to perfect strangers.

"This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission," Leitschuh wrote.

Leitschuh is mostly correct there. Clicking the link will automatically open Zoom and join a call. But as mentioned earlier, video is collected only when Zoom is configured to begin conferences with a camera turned on. Some media reports and social media commentators have said this behavior allows websites to "hijack" a Mac webcam. I'd argue that's a stretch since (1) it's fairly obvious that Zoom is opening and broadcasting whatever the camera sees and (2) it's easy to immediately leave the conference or simply turn off the camera.

What's more, preventing the video grab involves a one-time click to a box in the Zoom preferences that keeps video turned off when joining a video. But user beware: even when this setting is on, sites still can force Macs to open Zoom and join a conference.

That's not to say the threat Leitschuh disclosed is mere handwaving. It's not. But it underscores the near-impossible balancing act developers must strike. Make a feature too hard to use and people will move to a competing product. Make it too easy and attackers may abuse it to do bad things the developer never imagined.

In this case, Zoom developers should have warned that the ability to automatically join a conference with video turned on was a powerful feature that could be used to compromise users' privacy. Instead, the developers left it up to users to decide with no up-front guidance. (By contrast, audio is automatically turned off when joining a Zoom conference.) In other words, Zoom developers made this automatic webcam joining way too easy. In retrospect, thanks to Leitschuh's post, that's easy to see.

In a response to Leitschuh's disclosure, Zoom's Richard Farley said the company will roll out an update this month that will "apply and save the user's video preference from their first Zoom meeting to all future Zoom meetings." Farley didn't say if Zoom will provide the guidance many users will need to make an informed choice.

An always-on webserver

Leitschuh's research uncovered another behavior by Zoom for Mac that is also unsettling to security-conscious people. The app installs a webserver that accepts queries from other devices connected to the same local network. This server continues to run even when a Mac user uninstalls Zoom. Leitschuh showed how this webserver can be abused by people on the same network to force Macs to reinstall the app.

This clearly isn't good. While the webserver is only accessible to devices on the same network, that still exposes people using untrusted networks. And if hackers were ever to come across a code-execution vulnerability in the webserver, the potential for abuse is even higher. Farley said Zoom introduced the webserver as a way to work around a change introduced in Safari 12 that requires users to confirm with a click each time they want to start the Zoom app prior to joining a meeting.

"We feel that this is a legitimate solution to a poor user-experience problem, enabling our users to have faster, one-click-to-join meetings," Farley wrote. "We are not alone among video-conferencing providers in implementing this solution."

Convenience is the enemy of security

As is the case with the auto-on webcam when joining meetings, Zoom's implementation of a webserver is a convenience that comes at the potential cost of security. Neither behavior represents a critical vulnerability, but they do suggest Zoom developers could do more to lock down the Mac version of their app, particularly for users who may have less awareness of security issues.

And this is where precautions such as tape over a webcam come in. Users can never be sure developers have adequately safeguarded their apps against hacks or abuse, so the responsibility falls on end users to compensate. Another way to protect against abuses of Zoom or other Web conference software is to use an app such as Little Snitch and configure it to give the conferencing software Internet access for only limited amounts of time. Another self-help protection is to configure macOS so that Zoom only has access to the webcam at specific times when it's needed.

Promoted Comments

I was turned off the software from the start, since their Mac OS .pkg installer used the preinstall scripts to download and install the software, and didn't deploy any actual OS packages. This was strike one for me.

Strike two was how insistent they are about installing their persistent desktop client. Nobody needs to bug me that much to install it. It just screams shady behaviour. Not to mention how crappy their desktop client is. It feels like a rushed Windows app ported to Mac OS by inexperienced developers.

Note that if you get Zoom meetings frequently, you do not have to install their client to join them. Every Zoom link also allows you to join the meeting from the browser, with completely zero downsides. No installation required. Full webcam and audio.

Uh, no? The developers responded to the story (not Ars' presentation of it specifically AFAIK, but the publicity of the issue generally) by publishing an update that addressed some of the vulnerabilities it brought to light. Nothing in the original story was inaccurate.

"We feel that this is a legitimate solution to a poor user-experience problem, enabling our users to have faster, one-click-to-join meetings," Farley wrote. "We are not alone among video-conferencing providers in implementing this solution."

Wow.

I feel that the only legitimate reason to install a web server is to serve web pages.

I feel it’s never OK to install a web server without disclosure.

I feel that your definition of “problem” and mine are very different.

And last but not least, if all of the other video-conferencing providers jumped off a cliff, would you jump too?

The original disclosure recommends removing all of ~/.zoomus and then touch'ing it as well as chmod 000'ing it to prevent the app from putting it back.

It's not clear to me that every Mac with Zoom installed actually runs this helper -- it may only be certain subsets. I have two Macs with Zoom installed (one of which was actually in a Zoom meeting when this news broke), and neither was running the server process.

I don't think I've ever launched Zoom from Safari, though. That may be the key.

(Not saying this justifies Zoom's decisions, but the footprint may not be as large as imagined.)
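
The workaround mentioned above (remove `~/.zoomus`, re-create it as an empty file, `chmod 000` it) written out as a script. This is an added example, not code from the article, the commenters or the original disclosure; the function names and the optional home-directory argument are assumptions introduced here so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example: replace the ~/.zoomus directory with an empty, permissionless
# regular file, so the path can no longer be re-created as a directory.
# Assumption: function names and the optional <home> argument are hypothetical.

# Print the state of <home>/.zoomus:
#   absent | directory | file | blocked | symlink | other
zoomus_state() {
    target="${1:-$HOME}/.zoomus"
    if [ -L "$target" ]; then
        echo symlink                      # never follow a link; inspect by hand
    elif [ -d "$target" ]; then
        echo directory                    # a real directory that can hold files
    elif [ -f "$target" ]; then
        # First 10 characters of `ls -l` are the type and permission bits.
        if [ "$(ls -ld -- "$target" | cut -c1-10)" = "----------" ]; then
            echo blocked                  # regular file, mode 000
        else
            echo file
        fi
    elif [ -e "$target" ]; then
        echo other                        # socket, device, fifo ...
    else
        echo absent
    fi
}

# Apply the workaround. Returns 0 only if the path ends up "blocked".
block_zoomus() {
    home="${1:-$HOME}"
    target="$home/.zoomus"
    case "$(zoomus_state "$home")" in
        blocked)
            return 0 ;;                   # already done, nothing to change
        symlink|other)
            echo "refusing to modify unexpected $target" >&2
            return 1 ;;
    esac
    rm -rf -- "$target" || return 1       # "removing all of ~/.zoomus"
    ( umask 077; : > "$target" ) || return 1   # "touch'ing it"
    chmod 000 "$target" || return 1       # "chmod 000'ing it"
    [ "$(zoomus_state "$home")" = "blocked" ]
}

# Usage (acts on the current user's home directory):
#   zoomus_state      # report only
#   block_zoomus      # apply the workaround
```

Deleting the directory does not stop a process that is already running from it; that has to be ended separately or will persist until the next logout or reboot.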

Is it just me or should all computer video cameras be designed to not record unless the LED is on and red? When recording, immutable hardware lights up the red "i am recording" LED. So video cannot flow unless the LED is on. Whenever data flows out, the LED lights up.

As far as webcam tape goes, I feel like an entirely valid reason for it is not wanting to join what you thought was an audio meeting (or press the wrong button during a meeting) and have everybody discover you're calling in from a room with dirty dishes, an unmade bed and looking like you haven't slept in a week (In my defense, I went back to school recently).

Long and short, I don't want video from my computer for any reason unless I specifically set it up myself.

If I’m remembering correctly, for a long time Macs have had the camera indicator light hardwired to the camera so the light will always be on if the camera is operating since the light is not controlled by firmware or software. That’s why I don’t bother taping over it. Though I’m willing to risk a quick peek, while others might not.

I have heard in the past of instances where laptops didn’t have the light hardwired so they could be hacked to turn on the camera without the light coming on. In that case, or if there was no indicator light at all, I would definitely tape over the camera.

Very few manufacturers have released the information you would need to determine whether the camera in your computer works that way. So in general, you should assume the LED is controlled by software/firmware and can be disabled.

Is it just me or should all computer video cameras be designed to not record unless the LED is on and red? When recording, immutable hardware lights up the red "i am recording" LED. So video cannot flow unless the LED is on. Whenever data flows out, the LED lights up.

How hard can it be to make this so?

That is how Apple computers are set up. There is a hardware connection between the camera and a bright LED next to it. Older computers may not have that and other manufacturers may not.

Older Macs also may not have that: source. That's a 2013 academic paper demonstrating a successful hack against a 2008 MacBook in which video was captured without the recording indicator light coming on. My summary, which might or might not be accurate: the firmware for the micro controller in cameras of that era was supplied by USB on every boot, and could be used to prevent the pin that normally indicates standby mode from representing the actual standby state.

Didn't find a mention in this story or the comments (unless I screwed up the search), but Beaumont's tweet and other stories are pointing out that the Zoom code references the well-known RingCentral...their software is also involved and needs to be looked at and called out if needed.

Is it just me or should all computer video cameras be designed to not record unless the LED is on and red? When recording, immutable hardware lights up the red "i am recording" LED. So video cannot flow unless the LED is on. Whenever data flows out, the LED lights up.

How hard can it be to make this so?

That is how Apple computers are set up. There is a hardware connection between the camera and a bright LED next to it. Older computers may not have that and other manufacturers may not.

Older Macs also may not have that: source. That's a 2013 academic paper demonstrating a successful hack against a 2008 MacBook in which video was captured without the recording indicator light coming on. My summary, which might or might not be accurate: the firmware for the micro controller in cameras of that era was supplied by USB on every boot, and could be used to prevent the pin that normally indicates standby mode from representing the actual standby state.

I believe Apple basically solved this in recent Macs by routing the webcam and microphone through the T1/T2 security chips that also power the Touch Bar on MacBook Pros. An attacker would have to pwn the chip firmware before they could even think about touching the webcam firmware. I'm not sure about models between 2008 and 2016 though.

In Chrome if you give a website permission to use the camera or mic it has that permission forever, meaning

1. if you come back to the site it can use the mic or camera immediately without asking, whether or not you're ready.

2. If the site is in an iframe on another site it can access your mic or camera immediately without asking.

It's arguable it was designed this way to support Google Hangouts.

Firefox on the other hand has a 3rd option, effectively "give permission this one time".

For a website I'd argue that's the only permission you should be allowed to give it, never permanent. Anything else is too much power, especially given the iframe issue which means any site could put a 1 pixel tracking "iframe" from another site you gave permission (slack, skype, hangouts, facebook, etc) and then use your camera or mic as you browse the web.

Ars should really do an article on this to push Chrome and Firefox to rethink how the feature works. Having a safer UX where Hangouts for example has to pop up a "Can SoNSo.com Access Camera/Mic?" each time would not be a bad user experience IMO. Heck, I wish native apps had to do that.

This incident is Apple's entire rationale for why they should be able to act as intermediary between the user and developers. Apple tried to improve security for the user, and the developer actively made it worse. There's no way this would have made it through the AppStore, and if for some reason it did, Apple would be able to remotely blacklist it.

I like Zoom - I use it a lot, but this is really shitty behavior and this is going to be exhibit #1 in their antitrust case against the App Store. I know Apple's 30% isn't popular, but this kind of behavior simply reinforces the case for it.

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop

I take a little exception at this... the view from my webcam is the LAST thing I'm worried about in computer security. I regularly see users with tape over their webcams, blissfully browsing facebook and instagram, typing passwords with one finger, and walking away from their unlocked consoles. Tape over the webcam is security theater at its finest. If ever I get blackmailed, it will be for what's on my screen, not what's in front of it.

Tape over the webcam is part of a layered defense strategy. Keeping your software up to date and disabling known attack vectors (I'm looking at you, JavaScript) is only part of that same strategy.

The way I know someone isn't involved in, or isn't very good at, computer security is they *don't* have their camera covered. That person browsing FarceNook or Narcigram might have taken several layers of precaution which enable them to do that with reasonable assurance that they won't be the unwitting victim of an exploit.

Even the very best will probably get caught out at some time or another. OpSec is incredibly difficult. Computer security experts need to be correct every single time and they need to be continually ahead of the game. An attacker only needs to get lucky once and a sufficiently motivated attacker might make many attempts.

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop

I take a little exception at this... the view from my webcam is the LAST thing I'm worried about in computer security. I regularly see users with tape over their webcams, blissfully browsing facebook and instagram, typing passwords with one finger, and walking away from their unlocked consoles. Tape over the webcam is security theater at its finest. If ever I get blackmailed, it will be for what's on my screen, not what's in front of it.

That's you, and personally I agree. But there have been numerous stories of sextortion, where people surreptitiously record the webcam and extort money or more naked pictures/videos from the victims. I'm personally not super vulnerable (and it sounds like you aren't either) to this extortion (vs the infosec risks if someone were to crack my password manager), but that's not true for many users.

I take computer security very seriously. I keep my software up-to-date, I use Noscript, I generate long random keys to use instead of passwords, et cetera. I do not put tape over any cameras.

If intruders would get into my computer, then I expect that they'd be much more interested in nabbing various files, including crypto keys, than in watching my face as I'm looking at the screen. My sensitive data are stored on the disk, not written on my forehead.

This! I take exception to the assertion that "One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop. If the webcam is covered by tape or a sticker, they likely are." No. I know that the cam light on my MacBook Pro 2015 is hardwired in-camera making it impossible to turn on the cam without also turning on the light. And I make sure my system is updated and I don't generally install things willy nilly. As stated above, turning on my webcam without my knowledge is not a concern, actual hard-to-detect things like keyloggers are.

I take deep offense at the idea that you should “just disable video” after Video has already been sent. The user should always be asked whether they want to enable video before joining a new conference room, at the minimum.

I was turned off the software from the start, since their Mac OS .pkg installer used the preinstall scripts to download and install the software, and didn't deploy any actual OS packages. This was strike one for me.

Strike two was how insistent they are about installing their persistent desktop client. Nobody needs to bug me that much to install it. It just screams shady behaviour. Not to mention how crappy their desktop client is. It feels like a rushed Windows app ported to Mac OS by inexperienced developers.

Note that if you get Zoom meetings frequently, you do not have to install their client to join them. Every Zoom link also allows you to join the meeting from the browser, with completely zero downsides. No installation required. Full webcam and audio.

Get rid of this trash from your system.

What about for hosting meetings?

On a previous work computer I ended up installing their client to share my desktop after not being able to find an in browser based alternative when asked to demo something mid-call?

That experience also left me wondering why anyone would bother since the software's pushing to install a desktop client made it a few orders of magnitude more annoying to deal with than just clicking a share desktop (or view shared desktop) button on the UberConference page that's my employer's normal screen share and voice conferencing tool.

Farley said Zoom introduced the webserver as a way to work around a change introduced in Safari 12 that requires users confirm with a click each time they want to start the Zoom app prior to joining a meeting.

So basically they are maliciously circumventing an intentional security feature of the OS/browser. Apple should blacklist their app and prevent it from running until they remove the web server and play by the rules.

The fact that this could be done is in itself, bad security news for Apple, since this was not an issue on Windows.

Kind of makes me wonder what other stuff you can get away with running via a packaged server.

Really? They did this just to not have to click the "Allow" button in the browser?

I think we should mark a limit between ease-of-use and dangerous laziness. Seriously, this is like not locking the door when you leave because putting the key in the keyhole and turning it is "too hard".

One of the easiest ways to tell if someone is a practitioner of computer security is to look at their laptop

I take a little exception at this... the view from my webcam is the LAST thing I'm worried about in computer security. I regularly see users with tape over their webcams, blissfully browsing facebook and instagram, typing passwords with one finger, and walking away from their unlocked consoles. Tape over the webcam is security theater at its finest. If ever I get blackmailed, it will be for what's on my screen, not what's in front of it.

Why not both?

While I agree the biggest threat is APT (Advanced persistent threat, call it rootkit or whatever) not just on your PC but a server you may be connecting to also, because that could cost you your financial identity or bank account balance, but seriously a view into your house exploitable by some creep on the internet? Heck no.

I call in to video meetings multiple times per day, sometimes up to five separate meetings. Peeling off a piece of tape each time, especially if I’m running late, seems like a pain in the ass. I suspect most people that use tape rarely or never use the camera. But even in that case, the ugliness of the tape would bother me on my otherwise very nice looking laptop. Just out of curiosity, do you tape up all of the cameras on your phone as well? If not, why are you half assing it and only doing it on your laptop?

Zoom is the client I use for video calls by the way, but I’ve always had the feature that automatically activates video when joining a call disabled, which prevents this exploit from working. That feature is dangerous, not because of hackers, but because I sometimes work from home and call in half naked. It’s not hard to hit the start video button after joining a call.

I take deep offense at the idea that you should “just disable video” after Video has already been sent. The user should always be asked whether they want to enable video before joining a new conference room, at the minimum.

Zoom can be configured to not automatically start the camera when joining a call. I’ve always had that disabled.

Just remembered... from the makers of the absolutely essential LittleSnitch, there's also the less essential but nonetheless useful MicroSnitch, which runs quietly in the background until there's either a new video and/or audio recording device connected to your machine or some process activated such a device that's already been connected.

Not a silver bullet by any means, let alone an excuse to abandon best practices while computing, but definitely a useful and affordable extra layer of protection.

(No, I'm neither an Obdev employee, nor am I in any way affiliated with them)

ObjectiveSee provides something similar through Oversight, but for free. One of the nice features Oversight has is the ability to block microphone/camera access when it occurs, which I don't recall MicroSnitch provides (I've used both, but most recently the former).